Improvement Request – SIEM Integration and Log Management Enhancements
Improvement Request – SIEM Integration and Log Management Enhancements
5 votes
Hello,
While working on a SIEM integration for Devolutions, I’ve encountered several limitations regarding the Get-HubSiemLogs command.
Since the solution currently cannot directly connect to a SIEM for live log forwarding, I started exploring possible automation approaches and noticed several issues related to how logs are generated and structured.
Identified issues :
- The Data field appears to be encrypted, and no information is available about its content or decoding process.
- The UserIpAddress field always returns the class name Devolutions.Hub.Clients.LogIpAddress instead of the actual IP address.
- There is no clear way to identify the user who triggered the event — only their internal account ID is shown.
- There is no log severity level (e.g., INFO, WARN, ERROR), which makes it difficult to filter or prioritize log events.
Would it be possible to consider improving the log structure to address the points listed above?
Additional feature requests :
- Real-time log streaming :
- It would be very useful to have a feature similar to the Linux tail -f command, allowing continuous and real-time log monitoring. Currently, the only available options are “Weekly” and “Daily” log packages, which are not practical for active monitoring of a critical service like Devolutions Hub.
- Log forwarding capability :
- For the SaaS version, could you add an option to forward logs to an external application using an authentication key? In our case, we use Sekoia, which doesn’t have a native intake for Devolutions yet — but we could build one, provided we can receive logs directly from your platform.
Thank you in advance for your attention to these points and for considering these improvements.
Please let me know if you need additional details or examples from my current integration tests.
Kind regards.
All Comments (8)
Good Afternoon Alexandre,
First, thanks for your post and suggestions.
We will create necessary internal tickets to investigate the different issues mentioned in this post.
We will also review your two feature requests internally and assess their feasibility. We’ll get back to you as soon as we have an update on this.
Finally, have you seen the possibility to push logs to azure via our reporting service? Would this help?
https://docs.devolutions.net/hub/kb/how-to-articles/devolutions-hub-log-ingestion-log-analytics/
Best regards
Hello Dominic,
Thank you for your response.
Regarding the Azure integration, this unfortunately does not meet our requirements.
First, it limits log forwarding exclusively to Azure services.
Additionally, our goal is to integrate log forwarding directly into our SIEM.
We prefer not to rely on an intermediary service, as this would complicate monitoring and event correlation.
If the Azure service were to experience an outage, we would lose visibility and would no longer be able to monitor Devolution's tools effectively.
For a bit more context, here is how our logging pipeline works:
- Log collection (e.g., via rsyslog)
- Forwarding to our log forwarder
- Ingestion into our SIEM (Sekoia.io) for parsing and analysis by the SOC team
I also have an additional feature request:
It would be very helpful to tag logs based on the originating product (e.g., Devolutions RDM, Hub, PAM, Server, etc.).
This would greatly improve our ability to quickly identify the source of potential issues.
Thank you nevertheless for sharing the documentation.
Kind regards,
Alexandre
Good Morning Alexandre,
Okay, thank you for this additional information. I will consult with the team to see what solutions are possible in this situation. I will keep you informed of the different options and the estimated timeline as soon as possible
Regards
Good Morning Alexandre,
Here are some update to your questions.
- Data field encrypted, this seem to be possible, but will require additional development. An internal ticket has been created, and I will update you as soon as the feature is available.
- Regarding the UserIPAddress field, you should be able to retrieve the requested information using the object's structure, like this:
$logs = Get-HubLogs;
$log[0].LogIpAddress.Ipv4
- For associating events with user accounts, here's a small script that should give you some ideas to explore:
$logs = Get-HubSiemLogsWeekly
$users = Get-HubUser
$userLookup = @{}
foreach ($u in $users) {
$userLookup[$u.Id] = $u.Name
}
$logs | ForEach-Object {
$_ | Add-Member -NotePropertyName UserName -NotePropertyValue $userLookup[$_.UserId]
$ip = $_.UserIpAddress.Ipv4
$_ | Add-Member -NotePropertyName Ip4Adress -NotePropertyValue $ip -Force
}
- Severity level: Unfortunately, we don't log this information; we only record these events as data. This is definitely something that can be improved. I will discuss it internally to see what can be done.
Regarding the requests for additional features, it seems feasible, but it will require some time to analyze and determine if/how it can be implemented in the system. I will keep you informed as soon as I have any updates.
I hope this helps. Feel free to ask any further questions.
Hi Dominic,
Thank you for the update.
We will wait for the improvement; we do not need it immediately, but this feature seems quite important for a critical tool such as the Devolutions suite.
Regarding both scripts, the approach is interesting but not suitable for our production needs.
Our objective is to integrate your logs into our SIEM, which requires comprehensive information such as username, actions, log level, IP address, etc. As you mentioned, adding the log level soon is a very positive development.
However, for UserName and IPAddress, the code examples provided cannot be used in a production environment.
Since a SIEM must ingest logs almost instantly, and considering the number of users we have, we cannot run a script for each log entry we receive. This would introduce latency, consume resources, and could become a point of failure.
Even if we build a table mapping IDs to usernames as we discover them, ingesting complete logs would still require performing lookups for each log type, which is not viable.
My apologies if my previous message was not clear.
I would like to request that IPAddresses and UserNames be included directly in the logs. I do not fully understand the rationale for omitting them... perhaps for security considerations?
Thank you for your assistance.
Kind regards,
Alexandre DE MEULENEIRE.
Good Morning Alexandre,
I understand. I will take these comments into account and discuss with the team what we can do. At this stage, there is no quick fix, so implementation may take some time.
I will get back to you as soon as I have any news, whether positive or negative.
Thank you for your trust.
Good Morning Alexandre,
I understand. I will take these comments into account and discuss with the team what we can do. At this stage, there is no quick fix, so implementation may take some time.
I will get back to you as soon as I have any news, whether positive or negative.
Thank you for your trust.
@Dominic Dansereau
Hi Dominic,
Hope you're doing well.
Do you have any updates regarding this improvement ?
Thank you in advance.
Have a great day.
Good Afternoon Alexandre
Here is a quick update regarding this feature request. A ticket has been created, and the ticket is currently being processed for priority. As I have already mentioned, since this is a feature request and we cannot really apply a quick fix, it may take some time to get started. I will update this ticket as soon as I have an update, even if it's just about priority, or if I can inform you about a deliverable.
Thank you for the suggestion, and feel free to contact us if you have any additional questions regarding this request.
Best regards